This is a very simple openssl howto. I made this mainly because I'm mostly too lazy to remember how to make a key and a CSR (certificate signing request). Here are the commands you have to enter at your command line to get a key and a CSR file:
Create a password protected key:
openssl genpkey -out domainname.key -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes-128-cbc -pass pass:hello
Or a non-password-protected one:
openssl genpkey -out domainname.key -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048
Create the signing request. Enter the server's hostname (or your email address) in the CN (Common Name) field:
openssl req -new -key domainname.key -out domainname.csr
Verify your input:
openssl req -noout -text -in domainname.csr
Here is another example of how to make a self-signed cert with one command:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mycert.pem -out mycert.pem
When you get a certificate, you'll probably want to check what's in it:
openssl x509 -text -in cert.pem
And for some applications you need the fingerprint of the certificate; here are two variants, for MD5 and SHA-1 fingerprints:
openssl x509 -md5 -fingerprint -in cert.pem
openssl x509 -sha1 -fingerprint -in cert.pem
When you have a password protected key and don't want to enter the passphrase each time a daemon gets started, you can strip the passphrase with the following command:
openssl rsa -in certin.pem -out certout.pem
If you have to check whether a key and cert belong together, you can start the openssl internal web server in the following way:
openssl s_server -key www.key -cert www.crt -www
You can then connect to that server with HTTPS on port 4433.
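The key/CSR/cert steps above are interactive, and the s_server check needs a free port. The following script is an added example, not part of the original howto: it runs the same steps non-interactively (subject given with -subj), checks offline that a key and a cert carry the same public key, and prints a SHA-256 fingerprint. It assumes openssl 1.1 or later on PATH; all file names are made up.

```shell
#!/bin/sh
# Added example (not from the original howto): non-interactive key, CSR and
# self-signed cert creation, plus an offline check that a key and a cert
# belong together. Assumes openssl 1.1 or later on PATH; names are made up.
set -u

# Generate key -> CSR -> self-signed cert for $2 in directory $1, with the
# subject given on the command line so no prompts appear.
make_selfsigned() {
    dir="$1"; cn="$2"
    openssl genpkey -out "$dir/$cn.key" -outform PEM -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 2>/dev/null &&
    openssl req -new -key "$dir/$cn.key" -out "$dir/$cn.csr" -subj "/CN=$cn" 2>/dev/null &&
    openssl x509 -req -in "$dir/$cn.csr" -signkey "$dir/$cn.key" -days 365 \
        -out "$dir/$cn.crt" 2>/dev/null
}

# Return 0 when the public key inside the private key file equals the one
# in the certificate; an optional third argument is the key passphrase.
# Both commands emit the SubjectPublicKeyInfo as PEM, so plain string
# comparison is enough. Empty output (unreadable file) counts as mismatch.
key_matches_cert() {
    key="$1"; cert="$2"; pass="${3:-}"
    key_pub=$(openssl pkey -in "$key" -pubout -passin "pass:$pass" 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# SHA-256 fingerprint of a cert (the hex after '='), preferable to the
# MD5/SHA-1 variants above when an application accepts it.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage: sh check.sh domainname.key domainname.crt
if [ "$#" -eq 2 ]; then
    if key_matches_cert "$1" "$2"; then
        echo "key and cert match; SHA256 fingerprint $(cert_fingerprint "$2")"
    else
        echo "key and cert do NOT match" >&2
        exit 1
    fi
fi
```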
To test a remote certificate, you can use the openssl internal client:
openssl s_client -connect www.example.com:443 -showcerts -CApath /etc/ssl/certs/ # HTTPS
openssl s_client -connect www.example.com:465 -showcerts -CApath /etc/ssl/certs/ # SMTPS
openssl s_client -connect www.example.com:995 -showcerts -CApath /etc/ssl/certs/ # POP3S
openssl s_client -connect www.example.com:25 -starttls smtp -showcerts -CApath /etc/ssl/certs/ # STARTTLS over SMTP
Sometimes you have to deal with PKCS#12 certificate files; they can be converted from and to PEM format. The first line converts PEM to PKCS#12, the second does the opposite (PKCS#12 files sometimes have the extension .pfx and sometimes .p12):
openssl pkcs12 -export -out mycert.p12 -in mycert.pem -name "Certificate"
openssl pkcs12 -in mycert.p12 -out mycert.pem -nodes